Make sure certificate is verified when required by RestApiClientAsync (…

…#1620) Deprecates selfSignedCert: false bypasss
opencybersecurityalliance · Nov 27, 2023 · fdffad3 · fdffad3
1 parent c455ab2
commit fdffad3
Show file tree

Hide file tree

Showing 19 changed files with 138 additions and 121 deletions.
diff --git a/stix_shifter_modules/alertflex/stix_transmission/api_client.py b/stix_shifter_modules/alertflex/stix_transmission/api_client.py
@@ -18,7 +18,7 @@ def __init__(self, connection, configuration):
                                     connection.get('port'),
                                     headers,
                                     url_modifier_function,
-                                    cert_verify=connection.get('selfSignedCert', True))
+                                    cert_verify=connection.get('selfSignedCert'))
 
     async def ping_data_source(self):
         endpoint = self.endpoint_start + '/status'

diff --git a/stix_shifter_modules/arcsight/stix_transmission/api_client.py b/stix_shifter_modules/arcsight/stix_transmission/api_client.py
@@ -20,7 +20,7 @@ def __init__(self, connection, configuration):
         self.client = RestApiClientAsync(connection.get('host'),
                                     connection.get('port'),
                                     headers,
-                                    cert_verify=connection.get('selfSignedCert', True)
+                                    cert_verify=connection.get('selfSignedCert')
                                     )
 
     async def ping_data_source(self):

diff --git a/stix_shifter_modules/arcsight/tests/stix_transmission/test_arcsight.py b/stix_shifter_modules/arcsight/tests/stix_transmission/test_arcsight.py
@@ -23,15 +23,17 @@
 
 class TestArcsightConnection(TestCase):
     @staticmethod
-    def test_is_async():
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_is_async(self):
         """to check connector is async"""
         entry_point = EntryPoint(CONNECTION, CONFIG)
         check_async = entry_point.is_async()
         assert check_async
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.ping_data_source', autospec=True)
-    def test_ping(mock_ping):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_ping(self, mock_ping):
         """to check the ping status of connector"""
         mock_ping.return_value = get_mock_response(200, '{"sessionId":"2"}', 'byte')
         transmission = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)
@@ -43,7 +45,8 @@ def test_ping(mock_ping):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.ping_data_source', autospec=True)
-    def test_ping_exception(mock_ping):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_ping_exception(self, mock_ping):
         """to check the ping exception of the connector"""
         mock_ping.return_value = get_mock_response(400, '{"errors": [{"code": 1009, "message": "Server session not '
                                                        'found"}]}', 'byte')
@@ -58,7 +61,8 @@ def test_ping_exception(mock_ping):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.ping_data_source', autospec=True)
-    def test_auth_exception(mock_ping):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_auth_exception(self, mock_ping):
         """to check auth token generation exception"""
         mock_ping.return_value = get_mock_response(503, '{"error": "Unauthorized"}', 'byte')
         transmission = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)
@@ -73,7 +77,8 @@ def test_auth_exception(mock_ping):
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api', autospec=True)
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_user_session_id')
-    def test_create_query_connection(mock_session_id, mock_query_res):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_query_connection(self, mock_session_id, mock_query_res):
         """to create the query search and get search id"""
         mock_session_id.return_value = 'Dhoup23b3wL7tBlWWIeFPg8JHEf29qD1tNRJba4Jsyg.'
         mock_query_res.return_value = get_mock_response(200, '{"sessionId":"2"}', 'byte')
@@ -90,7 +95,8 @@ def test_create_query_connection(mock_session_id, mock_query_res):
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api', autospec=True)
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_user_session_id')
-    def test_create_query_error(mock_session_id, mock_query_res):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_query_error(self, mock_session_id, mock_query_res):
         """query search error check"""
         mock_session_id.return_value = 'Dhoup23b3wL7tBlWWIeFPg8JHEf29qD1tNRJba4Jsyg.'
         mock_query_res.return_value = get_mock_response(400, '{"errors": [{"code": 1111, '
@@ -109,7 +115,8 @@ def test_create_query_error(mock_session_id, mock_query_res):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.create_search')
-    def test_create_query_exception(mock_query_exception):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_query_exception(self, mock_query_exception):
         """query search exception handling"""
         mock_query_exception.side_effect = ConnectionError(
             "('Connection aborted.', ConnectionResetError(10054, 'An existing "
@@ -128,7 +135,8 @@ def test_create_query_exception(mock_query_exception):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_results(mock_create_results):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_results(self, mock_create_results):
         """to get the search results"""
         response = {
             "fields": [{
@@ -194,7 +202,8 @@ def test_create_results(mock_create_results):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_results_registry(mock_create_results):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_results_registry(self, mock_create_results):
         """to get search result with registry - connector specific"""
         response = {
             "fields": [{
@@ -251,7 +260,8 @@ def test_create_results_registry(mock_create_results):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_results_empty(mock_create_results):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_results_empty(self, mock_create_results):
         """to get query results with empty response"""
         response = {}
         mock_create_results.return_value = get_mock_response(200, json.dumps(response), 'byte')
@@ -268,7 +278,8 @@ def test_create_results_empty(mock_create_results):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_search_results')
-    def test_create_results_exception(mock_create_results):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_results_exception(self, mock_create_results):
         """to get http exception in result search"""
         mock_create_results.side_effect = ConnectionError(
             "('Connection aborted.', ConnectionResetError(10054, 'An existing "
@@ -287,7 +298,8 @@ def test_create_results_exception(mock_create_results):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_result_error(mock_delete_error):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_result_error(self, mock_delete_error):
         """to get error in result search"""
         error = {"errors": [{'code': 1009, 'message': 'Server session not found'}]}
         mock_delete_error.return_value = get_mock_response(400, json.dumps(error), 'byte')
@@ -302,7 +314,8 @@ def test_result_error(mock_delete_error):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_delete_query_connection(mock_delete_query):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_delete_query_connection(self, mock_delete_query):
         """to delete the query search using search id"""
         mock_delete_query.return_value = get_mock_response(200, "", 'byte')
         transmission = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)
@@ -314,7 +327,8 @@ def test_delete_query_connection(mock_delete_query):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_delete_query_error(mock_delete_error):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_delete_query_error(self, mock_delete_error):
         """to delete the query with invalid session id - error"""
         error = {"errors": [{"code": 1002, "message": "User session BCP7NIkbiLBkXx2FwdkU7ma9O7bJAWng1k. is not valid"}]}
         mock_delete_error.return_value = get_mock_response(400, json.dumps(error), 'byte')
@@ -330,7 +344,8 @@ def test_delete_query_error(mock_delete_error):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.delete_search')
-    def test_delete_query_exception(mock_delete_exception):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_delete_query_exception(self, mock_delete_exception):
         """to get http exception when delete the query search"""
         mock_delete_exception.side_effect = ConnectionError(
             "('Connection aborted.', ConnectionResetError(10054, 'An existing "
@@ -347,7 +362,8 @@ def test_delete_query_exception(mock_delete_exception):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_status(mock_create_status):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_status(self, mock_create_status):
         """to get search status of the query - COMPLETED"""
         response = {'status': 'complete', 'result_type': 'histogram', 'hit': 1004,
                     'scanned': 1561219, 'elapsed': '00:00:00.530', 'message': []}
@@ -363,7 +379,8 @@ def test_create_status(mock_create_status):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_status_running(mock_create_status):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_status_running(self, mock_create_status):
         """to get search status of the query - RUNNING"""
         response = {'status': 'running', 'result_type': 'histogram', 'hit': 2000,
                     'scanned': 1561210, 'elapsed': '00:00:00.530', 'message': []}
@@ -380,7 +397,8 @@ def test_create_status_running(mock_create_status):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_create_status_complete(mock_create_status):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_status_complete(self, mock_create_status):
         """to get search status of the query - COMPLETED"""
         response = {'status': 'running', 'result_type': 'histogram', 'hit': 5000,
                     'scanned': 1561210, 'elapsed': '00:00:00.530', 'message': []}
@@ -397,7 +415,8 @@ def test_create_status_complete(mock_create_status):
 
     @staticmethod
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_search_status')
-    def test_create_status_exception(mock_status_exception):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_create_status_exception(self, mock_status_exception):
         """to get http exception when status check"""
         mock_status_exception.side_effect = ConnectionError(
             "('Connection aborted.', ConnectionResetError(10054, 'An existing "
@@ -412,7 +431,8 @@ def test_create_status_exception(mock_status_exception):
 
     @staticmethod
     @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api')
-    def test_status_error(mock_delete_error):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_status_error(self, mock_delete_error):
         """to get error when check with invalid user session id"""
         error = {"errors": [{"code": 1002, "message": "User session BCP7NIkbiLBkXx2FwdkU7ma9O7bJAWng1k. is not valid"}]}
         mock_delete_error.return_value = get_mock_response(400, json.dumps(error), 'byte')
@@ -429,7 +449,8 @@ def test_status_error(mock_delete_error):
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.delete_search')
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_search_status')
     @patch('stix_shifter_modules.arcsight.stix_transmission.api_client.APIClient.get_search_results')
-    def test_arcsight_logger_down(mock_results, mock_status, mock_delete):
+    @patch('ssl.SSLContext.load_verify_locations')
+    def test_arcsight_logger_down(self, mock_results, mock_status, mock_delete):
         """arcsight logger down error"""
         error = 'The application is currently unavailable. Please retry shortly.'
         mock_results.return_value = get_mock_response(503, error, 'byte')

diff --git a/stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py b/stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py
@@ -31,7 +31,7 @@ async def init_async_client(self):
         self.client = RestApiClientAsync(self.host,
                                     self.connection.get('port', None),
                                     headers,
-                                    cert_verify=self.connection.get('selfSignedCert', True)
+                                    cert_verify=self.connection.get('selfSignedCert')
                                     )
 
     async def ping_box(self):

diff --git a/stix_shifter_modules/carbonblack/stix_transmission/api_client.py b/stix_shifter_modules/carbonblack/stix_transmission/api_client.py
@@ -14,7 +14,7 @@ def __init__(self, connection, configuration):
         self.client = RestApiClientAsync(connection.get('host'),
                                     connection.get('port'),
                                     headers,
-                                    cert_verify=connection.get('selfSignedCert', True)
+                                    cert_verify=connection.get('selfSignedCert')
                                     )
         self.timeout = connection['options'].get('timeout')
 

diff --git a/stix_shifter_modules/cbcloud/stix_transmission/api_client.py b/stix_shifter_modules/cbcloud/stix_transmission/api_client.py
@@ -26,7 +26,7 @@ def __init__(self, connection, configuration):
             connection.get('host'),
             connection.get('port'),
             headers,
-            cert_verify=connection.get('selfSignedCert', True)
+            cert_verify=connection.get('selfSignedCert')
         )
         self.timeout = connection['options'].get('timeout')
         self.result_limit = connection['options'].get('result_limit')

diff --git a/stix_shifter_modules/cisco_secure_email/stix_transmission/api_client.py b/stix_shifter_modules/cisco_secure_email/stix_transmission/api_client.py
@@ -13,7 +13,7 @@ def __init__(self, connection, configuration):
         self.auth = configuration.get('auth')
         self.headers = {'Content-Type': 'application/json'}
         self.client = RestApiClientAsync(connection.get('host'), connection.get('port'), headers=self.headers,
-                                         cert_verify=connection.get('selfSignedCert', True))
+                                         cert_verify=connection.get('selfSignedCert'))
         self.result_limit = connection['options'].get('result_limit')
         self.timeout = connection['options'].get('timeout')
 

diff --git a/stix_shifter_modules/crowdstrike/stix_transmission/api_client.py b/stix_shifter_modules/crowdstrike/stix_transmission/api_client.py
@@ -23,8 +23,7 @@ def __init__(self, connection, configuration):
         self.client = RestApiClientAsync(connection.get('host'),
                                     connection.get('port', None),
                                     headers,
-                                    url_modifier_function=url_modifier_function,
-                                    cert_verify=connection.get('selfSignedCert', True)
+                                    url_modifier_function=url_modifier_function
                                     )
         self.timeout = connection['options'].get('timeout')
         self._client_id = auth['client_id']

diff --git a/stix_shifter_modules/elastic_ecs/stix_transmission/api_client.py b/stix_shifter_modules/elastic_ecs/stix_transmission/api_client.py
@@ -50,7 +50,7 @@ def __init__(self, connection, configuration):
                                     connection.get('port'),
                                     headers,
                                     url_modifier_function=url_modifier_function,
-                                    cert_verify=connection.get('selfSignedCert', True)
+                                    cert_verify=connection.get('selfSignedCert')
                                     )
 
         self.timeout = connection['options'].get('timeout')

diff --git a/stix_shifter_modules/elastic_ecs/tests/stix_transmission/test_elastic_ecs.py b/stix_shifter_modules/elastic_ecs/tests/stix_transmission/test_elastic_ecs.py
@@ -17,7 +17,9 @@ def test_is_async(self):
 
         assert check_async is False
 
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.ping_box')
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_ping_endpoint(self, mock_ping_response):
         mocked_return_value = '["mock", "placeholder"]'
 
@@ -42,7 +44,9 @@ def test_ping_endpoint(self, mock_ping_response):
         assert ping_response is not None
         assert ping_response['success']
 
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.ping_box')
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_ping_endpoint_exception(self, mock_ping_response):
         mock_ping_response.side_effect = UnexpectedResponseException('exception')
         config = {
@@ -66,8 +70,9 @@ def test_ping_endpoint_exception(self, mock_ping_response):
         assert ping_response is not None
         assert ping_response['success'] is False
         assert ping_response['code'] == ErrorCode.TRANSMISSION_UNKNOWN.value
-
-
+
+    @staticmethod
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_query_response(self):
         config = {
             "auth": {
@@ -91,7 +96,9 @@ def test_query_response(self):
         assert 'search_id' in query_response
         assert query_response['search_id'] == query
 
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.search_pagination', autospec=True)
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_results_response(self, mock_results_response):
         mocked_return_value = """ {
                     "hits" : {
@@ -179,11 +186,12 @@ def test_results_response_exception(self, mock_results_response):
         transmission = stix_transmission.StixTransmission('elastic_ecs', connection, config)
         results_response = transmission.results(search_id, offset, length)
 
-        assert results_response['code'] == 'unknown'
+        assert results_response['code'] == 'certificate_fail'
         assert results_response['success'] is False
 
-
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.search_pagination', autospec=True)
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_query_flow(self, mock_results_response):
         results_mock = """ {
                     "hits" : {
@@ -253,8 +261,9 @@ def test_query_flow(self, mock_results_response):
         assert len(results_response['data']) > 0
         assert len(results_response['metadata']) >= 1
 
-
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.get_max_result_window', autospec=True)
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_pagesize(self, mock_results_response):
         mocked_return_value = """ {
                 "index1": {
@@ -306,7 +315,9 @@ def test_pagesize(self, mock_results_response):
 
         assert max_result_window == 20000
 
+    @staticmethod
     @patch('stix_shifter_modules.elastic_ecs.stix_transmission.api_client.APIClient.get_max_result_window')
+    @patch('ssl.SSLContext.load_verify_locations')
     def test_pagesize_exception(self, mock_result_response):
         mocked_return_value = '["mock", "placeholder"]'
         mock_result_response.return_value = get_mock_response(200, mocked_return_value, 'byte')

diff --git a/stix_shifter_modules/infoblox/stix_transmission/api_client.py b/stix_shifter_modules/infoblox/stix_transmission/api_client.py
@@ -49,7 +49,7 @@ def __init__(self, connection, configuration):
                                     None,
                                     headers,
                                     url_modifier_function,
-                                    cert_verify=connection.get('selfSignedCert', True)
+                                    cert_verify=connection.get('selfSignedCert')
                                     )
 
     async def ping_data_source(self):